Basic stuff

  • Check a certificate
openssl x509 -in <cert_file> -noout
  • Show a certificate's properties
openssl x509 -in <cert_file> -noout -text
  • Show expiry date of cert
openssl x509 -in <cert_file> -noout -enddate
  • Generate a certificate request (CSR)
openssl req -new -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem
  • Generate CSR with existing key
openssl req -new -key key.pem -out cert.pem
  • Generate a self signed cert
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mycert.pem -out mycert.pem
  • Check a private key
openssl rsa -in <key_file> -check
  • Remove password from a private key
openssl rsa -in <key_file> -out <key_file>
  • Test an SSL port
openssl s_client -connect localhost:443 -state -debug
GET / HTTP/1.0
  • Convert PFX (IIS) to PEM
openssl pkcs12 -in mycert.pfx -out mycert.pem
  • View the details of a certificate revocation list (CRL)
openssl crl -in filename.crl -noout -text
  • Verify a cert and check crl
openssl verify -crl_check -CApath /etc/ssl/certs cert.pem

CA stuff

  • Build your own CA
/usr/lib/ssl/misc/ -newca

On Arch Linux the path is /etc/ssl/misc/
  • Create a new certificate
/usr/lib/ssl/misc/ -newcert
  • Sign a certificate
/usr/lib/ssl/misc/ -sign
  • Create a Certificate Revocation List (CRL)
openssl ca -gencrl -keyfile ca_key -cert ca_crt -out my_crl.pem
  • Revoke a certificate
openssl ca -revoke bad_crt_file -keyfile ca_key -cert ca_crt
openssl crl -in crl_file -noout -text
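
The CA steps above and the earlier -crl_check verification, run end to end against a throwaway CA. This is an added example, not part of the original cheat sheet; the config file, subject names, file names and the use of -CAfile/-CRLfile in place of -CApath are choices made for the demo.

```shell
#!/bin/sh
# Added example; config, subjects and file names are constructed for the demo.
crl_demo() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" || exit 1
        mkdir newcerts && : > index.txt && echo 01 > serial || exit 1
        # Minimal config so the run does not depend on the system openssl.cnf
        cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = ./index.txt
new_certs_dir = ./newcerts
serial = ./serial
default_md = sha256
default_days = 30
default_crl_days = 7
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
        ca="-config ca.cnf -keyfile ca_key.pem -cert ca_crt.pem"
        vfy="openssl verify -crl_check -CAfile ca_crt.pem -CRLfile crl.pem cert.pem"
        # Throwaway CA, then a leaf key + CSR signed by it
        openssl req -config ca.cnf -x509 -nodes -days 30 -newkey rsa:2048 \
            -subj "/CN=Demo CA" -keyout ca_key.pem -out ca_crt.pem 2>/dev/null || exit 1
        openssl req -config ca.cnf -new -nodes -newkey rsa:2048 \
            -subj "/CN=demo.example" -keyout key.pem -out csr.pem 2>/dev/null || exit 1
        openssl ca -batch -notext $ca -in csr.pem -out cert.pem 2>/dev/null || exit 1
        # Empty CRL first: -crl_check fails without a CRL even if nothing is revoked
        openssl ca -gencrl $ca -out crl.pem 2>/dev/null || exit 1
        echo "before: $($vfy 2>&1 | tail -n 1)"
        # Revoke, republish the CRL, verify again (match on text, not exit code)
        openssl ca -revoke cert.pem $ca 2>/dev/null || exit 1
        openssl ca -gencrl $ca -out crl.pem 2>/dev/null || exit 1
        echo "after: $($vfy 2>&1 | grep -o 'certificate revoked' | head -n 1)"
    )
    rc=$?; rm -rf "$d"; return $rc
}
crl_demo
```

A revocation only takes effect for verifiers once the regenerated CRL has been published to wherever they load it from; the second -gencrl is the step that is easy to forget.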

Java keystore

  • How to convert a PEM cert and RSA key to PKCS12 and import it into a Java keystore
openssl pkcs12 -export -in mycert.pem -inkey my.key -out mycert.pkcs12
keytool -importkeystore -deststorepass mypassword -destkeystore keystore.jks -srckeystore mycert.pkcs12 -srcstoretype PKCS12 -srcstorepass mypassword
  • Add -ext for subject alternative names

Generate random bytes

openssl rand <nr_of_bytes>